Configure Bastion Host Integration
Set up the Azure Bastion host to enable secure SSH tunneling to your VMs.
Once IAM management is configured, you can enable secure SSH access to VMs in your Azure environment. This requires two parts:
Bastion host configuration under the Azure integration (this page)
SSH access setup under Integrations → SSH
Complete IAM management before starting this step. The Bastion host configuration depends on the IAM permissions set up in the previous step.
Prerequisites
Before setting up this integration, you must have an Azure Bastion host already deployed in your Azure environment. P0 does not create the Bastion host for you — it connects to an existing one.
If you have not yet deployed a Bastion host, see Microsoft's Bastion deployment guide to create one first.
Your existing Bastion host must meet the following requirements:
SKU type: must be Standard or Premium (the Basic SKU is not supported because it does not support tunneling)
Tunneling: must be enabled in the Bastion host configuration
IP configuration: must have at least one IP configuration
Subnet: must have an IP configuration in the AzureBastionSubnet subnet
If any of these requirements are not met, P0 displays a specific error message during setup indicating which requirement failed. Update your Bastion host configuration in the Azure Portal and retry.
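The following preflight script is an added example, not P0's code: it checks an existing Bastion host against the four requirements above before you start the wizard, using the same wording as P0's error messages. It assumes the field names printed by az network bastion show (sku.name, enableTunneling, ipConfigurations[].subnet.id) and a logged-in az CLI for the live query.

```shell
# Preflight check of an existing Azure Bastion host against the four
# requirements P0 validates. Added example, not P0's code. Field names are
# assumed to follow `az network bastion show` output: sku.name,
# enableTunneling and ipConfigurations[].subnet.id.

# check_bastion SKU TUNNELING IPCONFIG_COUNT FIRST_SUBNET_ID
# Prints one line per failed requirement, worded like P0's error messages.
# Returns 0 when the host meets all requirements, 1 otherwise.
check_bastion() {
  sku=$1; tunneling=$2; ipcount=$3; subnet_id=$4; rc=0
  case "$sku" in
    Standard|Premium) ;;
    *) echo "Azure bastion host must be of 'Standard' or 'Premium' type (found: ${sku:-none})"; rc=1 ;;
  esac
  case "$tunneling" in
    true|True) ;;
    *) echo "Azure bastion host must have tunneling enabled"; rc=1 ;;
  esac
  if [ "${ipcount:-0}" -lt 1 ]; then
    echo "Azure bastion host must have at least one IP configuration"; rc=1
  fi
  case "$subnet_id" in
    */subnets/AzureBastionSubnet) ;;
    *) echo "Azure bastion host must have an IP configuration with the 'AzureBastionSubnet' subnet"; rc=1 ;;
  esac
  return $rc
}

# Reads the four fields from Azure for a Bastion resource ID (requires a
# logged-in az CLI) and runs the checks. Only the first IP configuration's
# subnet is inspected, which is enough for a single-subnet Bastion host.
preflight_live() {
  set -- $(az network bastion show --ids "$1" -o tsv \
    --query '[sku.name, enableTunneling, length(ipConfigurations || `[]`), ipConfigurations[0].subnet.id]')
  check_bastion "$1" "$2" "$3" "$4"
}

# Constructed sample (not a real host): Basic SKU with tunneling off fails two checks.
check_bastion Basic False 1 \
  "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg/providers/Microsoft.Network/virtualNetworks/vnet/subnets/AzureBastionSubnet" \
  || echo "Bastion host is not usable by P0"

# Live check when BASTION_ID is set to the Bastion host resource ID.
if [ -n "${BASTION_ID:-}" ]; then preflight_live "$BASTION_ID"; fi
```

Run it as BASTION_ID=/subscriptions/.../bastionHosts/NAME sh preflight.sh to check a real host; a non-zero exit means at least one requirement failed.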
How subscription Bastion hosts work
P0 installs Bastion host configuration per subscription. Each subscription that needs SSH access must have a Bastion host component configured. P0 supports two configuration modes:
Single Bastion host: points directly to a Bastion host resource in the subscription. Use this when the subscription has its own Bastion host deployed.
Subscription Bastion host: references another subscription that already has a single Bastion host configured. Use this when multiple subscriptions share a single Bastion host deployed in a different subscription.
Single Bastion host is the default mode. Select this when your subscription contains its own Bastion host. You provide the Bastion host's Azure resource ID, and P0 validates it against the requirements listed above.
Subscription Bastion host allows you to reuse a Bastion host from another subscription. When you select this mode, P0 shows a dropdown of subscriptions that already have a single Bastion host configured. The selected subscription's Bastion host is used for SSH sessions in the current subscription.
A subscription Bastion host can only reference a subscription with a single Bastion host. Chaining references (a subscription Bastion host pointing to another subscription Bastion host) is not supported.
Permissions
During setup, P0 creates a custom Azure role scoped to the target subscription. This role grants P0 the minimum permissions needed to manage Bastion sessions.
Role name: P0 Bastion Host Management - {subscriptionId}
Required permissions:
Microsoft.Network/bastionHosts/read: read Bastion host configuration and status
Microsoft.Network/bastionHosts/disconnectActiveSessions/action: disconnect active Bastion sessions during access revocation
This role is assigned to the service principal created during Azure app registration.
Setup steps
1. In the Azure integration on p0.app, select Bastion Host.
2. Click Add subscription.
3. Select a subscription. Only subscriptions with IAM management already installed appear in this list.
4. Run the Shell or Terraform steps to create the custom role and assign it to the P0 service principal.
The shell commands:
- Set the active subscription
- Create the P0 Bastion Host Management custom role with the required permissions
- Assign the role to the P0 service principal
The Terraform configuration:
- Creates an azurerm_role_definition resource with the required permissions
- Creates an azurerm_role_assignment resource assigning the role to the P0 service principal
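An az CLI version of the install step, added here as an example and not P0's own generated script: it writes the custom role definition with only the two permissions listed under Permissions, assigns it to the P0 service principal at subscription scope, and then verifies both conditions that the Troubleshooting section reports as "Custom role not found" and "not assigned". It assumes two inputs, SUBSCRIPTION_ID and P0_OBJECT_ID (the object ID of the service principal created during Azure app registration).

```shell
# Creates the custom role P0 needs for Bastion sessions and assigns it to the
# P0 service principal with the az CLI. Added example, not P0's install
# script. Assumed inputs: the subscription ID and the object ID of the
# service principal created during Azure app registration.

# Emits the role definition JSON. AssignableScopes is limited to the one
# subscription so the role cannot be assigned anywhere else.
role_definition_json() {
  sub=$1
  cat <<EOF
{
  "Name": "P0 Bastion Host Management - ${sub}",
  "IsCustom": true,
  "Description": "P0: read Bastion hosts and disconnect sessions on access revocation",
  "Actions": [
    "Microsoft.Network/bastionHosts/read",
    "Microsoft.Network/bastionHosts/disconnectActiveSessions/action"
  ],
  "NotActions": [],
  "AssignableScopes": ["/subscriptions/${sub}"]
}
EOF
}

# Step 4 of the setup: create the role, then assign it at subscription scope.
install_p0_bastion_role() {
  sub=$1; principal=$2
  az account set --subscription "$sub"
  role_definition_json "$sub" > "p0-bastion-role-${sub}.json"
  az role definition create --role-definition "@p0-bastion-role-${sub}.json"
  az role assignment create --assignee-object-id "$principal" \
    --assignee-principal-type ServicePrincipal \
    --role "P0 Bastion Host Management - ${sub}" --scope "/subscriptions/${sub}"
}

# Checks the two conditions behind the role errors in Troubleshooting:
# the role exists in the subscription and is assigned to the service principal.
verify_p0_bastion_role() {
  sub=$1; principal=$2; name="P0 Bastion Host Management - ${sub}"
  n=$(az role definition list --name "$name" --scope "/subscriptions/${sub}" --query "length(@)" -o tsv)
  [ "${n:-0}" -gt 0 ] || { echo "Custom role not found in subscription"; return 1; }
  n=$(az role assignment list --assignee "$principal" --role "$name" --scope "/subscriptions/${sub}" --query "length(@)" -o tsv)
  [ "${n:-0}" -gt 0 ] || { echo "Custom role is not assigned to the App Client"; return 1; }
  echo "role and assignment present"
}

# Runs only when both inputs are set (requires a logged-in az CLI).
if [ -n "${SUBSCRIPTION_ID:-}" ] && [ -n "${P0_OBJECT_ID:-}" ]; then
  install_p0_bastion_role "$SUBSCRIPTION_ID" "$P0_OBJECT_ID"
  verify_p0_bastion_role "$SUBSCRIPTION_ID" "$P0_OBJECT_ID"
fi
```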
5. Select the Bastion host mode:
- Single Bastion host (default): provide the Azure Bastion host resource ID. In the Azure Portal, go to the Bastions service, select your Bastion resource, and copy its Resource JSON to obtain the ID.
- Subscription Bastion host: select from the dropdown of subscriptions that already have a single Bastion host configured.
The Bastion host resource ID follows this format:
/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupId}/providers/Microsoft.Network/bastionHosts/{bastionHostName}
P0 validates the Bastion host against all requirements listed in the Prerequisites section. If validation fails, you see a specific error message indicating which requirement was not met.
The Bastion host configuration is now complete.
Troubleshooting
"Azure bastion host must be of 'Standard' or 'Premium' type"
  Cause: the Bastion host uses the Basic SKU.
  Fix: upgrade the Bastion host to the Standard or Premium SKU in the Azure Portal.
"Azure bastion host must have tunneling enabled"
  Cause: tunneling is disabled on the Bastion host.
  Fix: enable tunneling in the Bastion host configuration.
"Azure bastion host must have at least one IP configuration"
  Cause: the Bastion host has no IP configuration.
  Fix: verify the Bastion host is configured correctly in the Azure Portal.
"Azure bastion host must have an IP configuration with the 'AzureBastionSubnet' subnet"
  Cause: the Bastion host is not attached to the correct subnet.
  Fix: attach the Bastion host to a subnet named AzureBastionSubnet.
"Custom role not found in subscription"
  Cause: the shell or Terraform commands did not complete.
  Fix: re-run the install commands from step 4.
"Custom role is not assigned to the App Client"
  Cause: the role assignment was not created.
  Fix: re-run the role assignment command from step 4.
Next step
Proceed to Install SSH access control to connect P0 to your Azure VMs.